A symmetrization technique for continuous-variable quantum key distribution 



(N 

O 

<N 

X) 
O 



a- 



>: 
o, 

OS' 

d 



X: 



Anthony Leverrier 

ICFO-Institut de Ciencies Fotoniques, Mediterranean Technology Park, 08860 Castelldefels (Barcelona), Spain 

(Dated: February 21, 2012) 

We introduce a symmetrization technique which can be used as an extra step in some continuous- 
variable quantum key distribution protocols. By randomizing the data in phase space, one can 
dramatically simplily the security analysis of the protocols, in particular in the case of collective 
attacks. The main application of this procedure concerns protocols with postselection, for which 
security was established only against Gaussian attacks until now. Here, we prove that under some 
experimentally verifiable conditions, Gaussian attacks are optimal among all collective attacks. 



Quantum key distribution (QKD) is the art of distill- 
ing a secret key among distant parties, Alice and Bob, 
in an untrusted environment. The remarkable feature of 

SKD is that it is secure in an information theoretic sense 
. QKD protocols come in two flavors depending on the 
type of quantum measurement they use: either a photon 
counting measurement for discrete-variable protocols or a 
honiodyne detection for continuous-variable (CV) QKD. 
While the security of the former is now rather well un- 
derstood (with the notable exceptions of the differential 
phase shift Q and coherent one-way Q protocols), secu- 
rity of CV protocols has been more elusive (see [J| for a 
recent review). This is mainly due to the fact that the 
infinite dimensional Hilbert space required to describe 
these protocols makes the analysis quite challenging. 

Among all CVQKD schemes, the protocol GG02 is cer- 
tainly the easiest one to analyze . In this protocol, Al- 
ice sends n coherent states \ak) = \x2k + ix2k+i) to Bob 
who measures the states he receives either with a homo- 
dyne detection (thus randomly choosing one quadrature 
to measure for each state) or a heterodyne detection (in 
which case. Bob measures both quadratures at the same 
time). Alice's modulation is Gaussian, meaning that Xk is 
a centered normal random variable with a given variance. 
In the case of a heterodyne detection for instance @ , Bob 
obtains a classical vector y = [yi , • • • , y2n] which is cor- 
related to Alice's vector x = [xi, • • • , X2n\- In this paper, 
we use bold font to refer to vectors. Then, using param- 
eter estimation, reconciliation and privacy amplification, 
they can extract a secret key. For this specific protocol, 
Gaussian attacks (where the action of the eavesdropper 
can be modeled by a Gaussian quantum channel between 
Alice and Bob) are known to be optimal among collective 
attacks 0-13 ■ Using de Finetti theorem and conditioned 
upon an extra verification step [l3|, these collective at- 
tacks are actually optimal in general in the asymptotic 
limit. The only step which is currently missing in this 
security analysis is a tight reduction from coherent to 
collective attacks in the finite-size regime (TT| . 

The security status of other CVQKD protocols is far 
less advanced. In particular, not much is known for pro- 
tocols using postselection |13 - [l4| . In these protocols, the 
idea is that Alice and Bob will only use some data to 
distill the secret key and discard the rest. More pre- 
cisely, they only keep the data compatible with a posi- 
tive key rate. This method, inspired by advantage distil- 



lation techniques, certainly makes the protocol more ro- 
bust against imperfections such as losses or noise in the 
channel, and potentially gives the best practical CVQKD 
protocol (see Refs. [l4l . [l5j for experimental implemen- 
tations). It is therefore of considerable importance to 
be able to assess its security. Unfortunately, there are 
currently no full security proof for this scheme, not even 
against collective attacks. In fact, the only result avail- 
able so far is an analysis in the case of Gaussian attacks 
[l6l . [r^ . This is. however, far from being sufficient for two 
reasons: first, Gaussian attacks are not believed to be op- 
timal against this protocol; second, one can never prove 
in practice that a given quantum channel is indeed Gaus- 
sian. The problem is that the only tool currently avail- 
able to establish the security of a CV protocol against 
collective attacks, namely Gaussian optimality |18| does 
not seem to help much for protocols with postselection 
(see , however, a recent approach along those lines in Ref. 

In this paper, we introduce a new proof technique 
based on a symmetrization procedure that allows us to 
make some progress concerning the security analysis of 
CVQKD with postselection. In particular, we will show 
how this symmetrization allows us, under some verifiable 
conditions, to consider that the quantum channel is in- 
deed Gaussian, even though the physical channel may 
actually be non-Gaussian. This then means that check- 
ing the security against Gaussian attacks (which can be 
done with present tools) is indeed sufficient to get full 
security against collective attacks, and in fact against 
arbitrary attacks in the asymptotic limit thanks to de 
Finetti theorem [loj . 



I. A SYMMETRIZED PROTOCOL 

The usual technique to prove the security of a Pre- 
pare and Measure (PM) protocol such as GG02 where 
Alice sends coherent states to Bob who measures them, is 
to consider an equivalent Entanglement-Based (EB) pro- 
tocol. In the latter, Alice prepares two-mode squeezed 
vacuum states of which she measures one mode with a 
heterodyne detection and sends the second mode to Bob. 
Interestingly, before Alice and Bob measure their respec- 
tive modes, their share a bipartite state pab- In this 
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paper, we will restrict our attention to collective attacks, 
meaning that at the end of the protocol, Alice and Bob 
share n copies of that state, that is, p^^. 

In general, one cannot perform a perfect tomography 
of this state, simply because it lives in an infinite dimen- 
sional Hilbert space. In the case of protocols without 
postselection, this is not a problem since the secret key 
rate can be safely computed from the the Gaussian state 
with the same first two moments as pab QiIHI' This is 
remarkable because one only needs to compute the co- 
variance matrix of the state instead of its whole density 
matrix. 

Unfortunately, this approach fails in the case of pro- 
tocols with postselection. Indeed, one would then need 
to compute the covariance matrix of the state given it 
was postselected. In principle, one could do this analysis 
with the experimental data obtained from the EB version 
of the protocol; but one cannot directly reconstruct this 
covariance matrix from the data observed in the actual 
PM version of the protocol. Indeed, the probabilistic 
map corresponding to a successful postselection is too 
complicated and one cannot expect to analyze its effect 
on general non-Gaussian states. For this reason, our only 
hope for a security proof seems to be to somehow enforce 
the Gaussianity of the state pab Alice and Bob will use 
in their protocol. The idea is therefore to add an extra 
step to the usual protocol, that will make the state p'^g 
more Gaussian. Let us note S the quantum map induced 
by this symmetrization. 

It is now clear that if one had S {p'a%) — Pg" where pa 
is the bipartite Gaussian state with the same covariance 
matrix as pab, then the security of the symmetrized pro- 
tocol against general collective attacks would be identi- 
cal to the security of the original protocol against Gaus- 
sian attacks. One could then compute the secret key 
rate, simply from the transmission and excess noise of 
the quantum channel, exactly as in the case of protocols 
without postselection. The symmetrization we introduce 
below will not induce an exact Gaussification, but only 
an approximate one. However, the quality of the Gaus- 
sification, characterized by the fidelity between S (p^^) 
and Pq" will increase with n, and tend to 1 if some exper- 
imentally verifiable conditions (on the moment of order 
4 of Pab) are met. 

The symmetrization we consider here was introduced 
in [23| where it was argued that it corresponds to the 
natural symmetry for protocols using a Gaussian mod- 
ulation of coherent states. In the EB scenario, before 
they both perform their heterodyne measurements, Al- 
ice and Bob would apply random conjugate passive lin- 
ear transformations over their n modes. Once this is 
done, they apply the usual postselection protocol. This 
symmetrization can also be used in the PM scenario, 
and crucially, one can simply apply it to the classical 
data X and y of Alice and Bob. More concretely, in 
the PM scenario, Alice and Bob follow the standard sce- 
nario of sending coherent states and performing a het- 
erodyne detection for Bob. Then, Alice draws a ran- 



dom transformation with the Haar measure on the group 
K{n) := 0(2n,]R)n 5*^(271, R) (isomorphic to the unitary 
group U{n)), that is the transformations corresponding 
to linear passive transformations in phase-space. She in- 
forms Bob of her choice of transformation (over the au- 
thenticated classical channel) , and both parties apply this 
transformation to their respective 2n-vectors x and y. 

II. EQUIVALENCE BETWEEN THE EB AND 
PM SYMMETRIZED PROTOCOLS 

In order to study the security of the symmetrized PM 
protocol, one needs to show that its equivalent EB pro- 
tocol corresponds to the one symmetrized through the 
application of random conjugate passive transformations 
in phase-space. It is useful to introduce three different 
distributions that can be used to describe the two sce- 
narios. In order to simplify the exposition, let us first 
consider the analysis of a generic CVQKD protocol in 
the case of collective attacks, meaning that the proto- 
col is entirely described by a single use of the quantum 
channel. First, the PM protocol is naturally described 
by a joint probability distribution P(xi, X2, yi, 2/2) where 
xi,X2 (resp. 1/1,2/2) refers to Alice's (resp. Bob's) mea- 
surement results. The EB scenario is characterized by the 
bipartite state p shared by Alice and Bob before their 
respective measurements. In the context of a CV pro- 
tocol, it is natural to describe this state by its Wigner 
function VF(a;i, X2, j/i, 2/2) where index 1 (resp. 2) refers 
to the first (resp. second) quadrature of Alice or Bob's 
mode. Alternatively, since we restrict ourselves to pro- 
tocols where both Alice and Bob perform a heterodyne 
detection, we can also consider the convenient character- 
ization in terms of the Q-function Q{xi, X2,yi-, t/2) of the 
state p. This Q-function corresponds to the probability 
distribution sampled from when measuring the state with 
heterodyne detection [2l| and is given by: 

(3(2:1, 2^2, 2/1, 2/2) = -\{aA,aB\p\aA,aB), (1) 

where \aA{B)) is a coherent state centered on aA{B) = 
xa{b) + iPAiB) in Alice's (Bob's) phase space. Interest- 
ingly, if we denote Wq the Wigner function of the vacuum, 
then Q simply corresponds to the convolution of W and 
Wo: Q = W^Wo. 

The relation between the two probability distributions 
P and Q can also be made explicit: if Alice measures one 
mode of the two-mode squeezed vacuum with a hetero- 
dyne detection and obtains outcomes xi, X2, she projects 
the second mode on the coherent state |7(xi — 1x2)) where 
the factor 7 = \/2{V — l)/(y + I) depends on the vari- 
ance V of the two-mode squeezed vacuum [l^ls^. This 
means that we have the one-to-one relation: 

(3(21, X2, 2/1, 2/2) = /'(7.Ti,-7a;2,2/i,2/2). (2) 

We now consider general n-mode states. Because of 
the correspondence above, applying a random transfor- 
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mation i? (g) i? with R drawn with the Haar measure on 
K{n) on the classical data represented by the distribution 
P is equivalent to a symmetrization in phase-space corre- 
sponding to the application of random conjugate passive 
linear transformations over the n modes of Alice and Bob. 
Noting Q the group of passive linear transformations in 
phase-space, the state obtained after the symmetrization 
of n copies of the state p (i.e., for a collective attack) is: 



5(p®"):=/ (C/®i7*)p®"(C/® C/*)^dC/, (3) 
Jueg 

where dU is the Haar measure over the group Q. 



III. SKETCH OF THE SECURITY PROOF 

The rest of the paper consists in analyzing the state 
S{p'^"'), and in particular proving that it becomes ap- 
proximately Gaussian under conditions on the second 
and fourth moment of P{xi, 2^2, yi, 1/2) which are usually 
met in practical implementations of a CVQKD protocol. 
Since the three distributions W, Q and P, equivalently 
describe the protocol, we choose here to work with P, 
which is the one directly observable in the practical im- 
plementation of the protocol. 

Our proof will consist of two steps. First, we show that 
the distribution P describing the state after the sym- 
metrization tends to an explicit limiting function, where 
the convergence speed is 0{l/^/n). While one could in 
principle stop at this point and directly compute the se- 
cret key rate that can be extracted from this state, we 
will focus on the experimentally relevant scenario where 
the quantum channel behaves approximately as a Gaus- 
sian channel. In this case, we can bound the distance 
between the limiting distribution describing the whole 
protocol and a Gaussian identically and independently 
distributed (i.i.d.) function (thus corresponding to a col- 
lective Gaussian attack for which the key rate is already 
known) with an error term of order 0{\/y/n). In such a 
practical scenario, one can therefore bound the distance 
between the actual state and the state corresponding to a 
Gaussian attack by an arbitrary small quantity. Taking n 
large enough, the secret key rate of the symmetrized pro- 
tocol is therefore identical to the secret key rate against 
collective Gaussian attacks. 



IV. CONVERGENCE TO A LIMITING 
DISTRIBUTION 



To simplify the notations, we write P the distribution 
corresponding to the state S{p®^). The following lemma 
from |23| (proven in Appendix |X] for completeness) shows 
that this function only depends on 3 variables, instead of 
An for the non-symmetrized scenario. 



Lemma 1. For n > 2, the symmetrized distribution 
P(x,y) = / P(Px,Py)dP, 

JK(n) 



(4) 



where dR refers to the Haar measure on K{n), only de- 
pends on ||x|p,||y||2,x-y. 

Let us note Xi ~ Xi,Yi = yf,Zi = xiyi and 
X" = Er=i^*:^" = E7=iYr^Z" = YJU Because 



P(x, y) only depends on X'' 



, = ||y|| and 



= X • y, it actually corresponds to the probability 
distribution P„ of the vector V = [X'\Y'\ Z'"]: 



P(x,y)dxdy = P„(V^")dy'' 



(5) 



According to the central limit theorem, since the vec- 
tors Vi are i.i.d. (which follows from the collective attack 
assumption), the distribution Py converges to a Gaus- 
sian distribution as n tends to infinity, and one can use 
a multidimensional version of Berry-Esseen theorem to 
bound the distance between the two distributions. Not- 
ing Pq the Gaussian distribution with the same first two 
moments as P„, one can prove that the variational dis- 
tance A between the two distributions is of the form (see 
Appendix |B] for a more precise bound) : 



A 



\Py{V)-PG{V))\dV = 0(^]. (6) 



The scaling law in 0(1 /y/n) is generic for Berry-Esseen 
theorem and the constant factor depends on the covari- 
ance matrix of [X, Z], that is, on the moment of order 
4 of the measurement results {x,y). 

In general, one could compute the secret key rate cor- 
responding to a state described by the distribution Pq. 
Here, we will restrict ourselves to a very concrete sce- 
nario, that of a quantum channel acting like a Gaussian 
channel (like an optical fiber typically [3l|). We insist 
that this is not a new assumption since one can always 
compute the covariance matrix E of the distribution Pq 
above. However, in general, the quantum channel will be 
such that S will be close (up to sampling errors) to the 
covariance matrix obtained for a Gaussian channel. 



V. THE LIMITING DISTRIBUTION Pa IS 
CLOSE TO AN I.I.D. GAUSSIAN DISTRIBUTION 
IN TYPICAL IMPLEMENTATIONS 

In practice, the coherent states are sent through an op- 
tical fiber acting as a Gaussian quantum channel, mean- 
ing that the data obtained by Alice and Bob follow a 
Gaussian distribution. In general, this does not simplify 
the security analysis since observing variables that look 
Gaussian does not mean that they indeed are Gaussian. 
Here, we will show that looking Gaussian is sufficient for 
the bound obtained through Berry-Esseen theorem to be 
useful. Let us consider the case where 
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[Xiyi 



(7) 
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Then, applying the symmetrization and using the re- 
sults of Berry- Esseen theorem, one obtains that the sym- 
metrized (normalized) distribution Py tends to a Gaus- 
sian distribution with covariance matrix Eq: 



(8) 



Unfortunately, however, in a practical protocol, Alice and 
Bob only have access to a finite-precision estimation of 
the covariance matrix, and the one they measure, Eost, 
and that they use in Berry-Esseen theorem will slightly 
differ from the ideal one above E^. The typical esti- 
mation error is of the order of 1/ y/m, if m samples are 
used in the procedure. Assuming that the estimation 
is performed with a (small) constant fraction of the total 
samples n, the typical error will be on the order of 
which is comparable to the error term of the Berry-Esseen 
theorem. This then implies that the variational distance 
between the two final distributions is also of that order 
(see Appendix [Cl for details). 



VI. SECURITY ANALYSIS OF A CV QKD 
PROTOCOL WITH POSTSELECTION 

Using the results above, the distribution P (or equiv- 
alently the Q-function) of the state describing the sym- 
metrized version of the QKD protocol is l/-\/n-close in 
variational distance to a Gaussian distribution. More- 
over, in a practical scenario, this Gaussian distribution 
corresponds to that of an i.i.d. Gaussian state. If one 
can make the error l/i/n small enough, then the security 
of the symmetrized protocol against collective attacks is 
equivalent to that of the usual (non-symmetrized) proto- 
col against Gaussian attacks. In particular, the secret key 
rate for the symmetrized protocol is equal to the secret 
key rate against Gaussian attacks [l^ . \V\ . 

Although the variational distance between the Q- 
functions is a weaker criterion than the usual trace dis- 
tance between the states, one can argue that this dis- 
tance makes sense when considering CV QKD protocols. 
Indeed, if two states have 2e-close Q-functions (for the 
variational distance), it means that the probability to 
successfully distinguish them using heterodyne detection 
is bounded by 1/2 -f e. 

Sampling from the Haar measure on K(n) for n large 
might be quite unpractical. Methods to achieve it in 
complexity O(n^) are known (2^ . [25| . Fortunately, for 
our purpose, it is sufficient to sample from the different 
measure on Kin) provided that the symmetrized state 
can be made arbitrary close to the state S (p*^") of Eq. 
[31 This can be achieved by means of quantum /c-designs 
as presented in Appendix [D] In particular, it is reason- 
able to conjecture that this can be done in complexity 
0(n log n), which would be compatible with a practical 
implementation . 

One could wonder why the symmetrization has to be 
active here in contrast to protocols such as GG02. The 



difference is that the postselection, performed along the 
quadrature axes, introduces some privileged directions 
in phase space. Consequently one needs to actively sym- 
metrize the protocol to make it invariant under rotations 
in phase space. 



VII. CONCLUSION 

In this paper, we provided a first step towards a general 
security proof of CVQKD protocols with postselection. 
Until now, its security was only established in the very 
restricted case of Gaussian attacks, which are very un- 
likely to be optimal. Thanks to an active symmetrization 
of the protocol (performed on the classical data of Alice 
and Bob) , one can show that collective attacks and actu- 
ally arbitrary attacks in the asymptotic limit basically re- 
duce to Gaussian attacks. The present solution is still not 
very practical since one would need to randomly sample 
from the unitary group in a very large dimension. Two 
possible approaches should be considered: either looking 
at a much smaller set of transformations for which the 
sampling can be performed efficiently, or improving the 
bounds derived here, possibly combining the symmetriza- 
tion technique with some de Finetti-type arguments. It 
seems almost clear, at any rate, that the symmetrization 
technique introduced here will be required for any fur- 
ther advance in the study of the security of CV QKD 
with postselection. 
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Appendix A: Proof of Lem ma [1] (Lemma [1] from 

Since the probability distribution P is being random- 
ized under the action of the group K{n) = 0(27i,K.) n 
Sp{2n, R) to give P defined as 



P(x,y) = / P(i?x,i?y)di? 

JKin) 



(Al) 



where dR refers to the Haar measure on K{n), one has: 
P(i?x,i?y) = P(x,y) (A2) 

for any x, y G M^n g^^^^ ^ g j^^^y 

We want to show that any function P : R^" x R^", such 
that P{Rx,Ry) — P(x,y) for any transformation R G 
K{n) only depends on the three following parameters: 
l|x||M|y|P,x-y. 
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Given any four vectors x, x',y, y' G R^" such that 
||x|p = ||x'|p, ||y|p = ||y'|p,x • y = x' • y', it is suf- 
ficient to exhibit a transformation R G Kin) such that 
x' = i?x and y' = Ry to prove Lemma [1] . 

A transformation R G K{n) can be described as a sym- 
plectic map: 



R^R{X,Y) 



X Y 

-Y X 



where the matrices X and Y are such that [26 



x'^x + y^y 

X'^Y 



xx^ 
xy'^ 



- YY^ = 1 
symmetric. 



(A3) 



(A4) 
(A5) 



Note that this matrix is written for reordered vectors of 
the form [xi, xs, • • • , X2n-i, X2,xa,--- , X2n], that is, one 
first writes the n g-quadratures then the n p-quadratures 
for all the vectors. 

Let us introduce the following vectors a, a', b, b' G C" 
defined as 



a/c = X2k-i + ^X2k 

bk = y2fe-i + iy2k 

Then, the conditions read: 



bi 



■ ^2fe-l 

y-zk-i ' 



~ ''■^2k 

iy'2k- 




(A6) 
(A7) 



(A8) 



where Re(x) refers to the real part of x. 

For our purpose, it is therefore sufficient to prove that 
there exists an unitary transformation U G U{n) such 
that [/a = a' and Uh = b'. Indeed, one can split U into 
real and imaginary parts: U = X — lY , and it is easy 
to check that R = R{X, Y) is such that Rx = x' and 

Ry = y'. 

Let us introduce the following notations: A= ||a|p = 
||a'||2,S = ||b||2 ^ ||b'||2 and C = Re(a|b) = Re(a'|b'). 

Consider first the case where a and b are c olinear. 
This means that b — C/Aa and C = ±V AB. Using 
the Cauchy-Schwarz inequality, \C\ — |a' • b'| < ||a'|| • 
||b'|| = V AB with equality if and only if a' and b' are 
colinear. This means that a' and b' are colinear and 
that b' = (C/A) a' . Because ||a|| = ||a'||, the reflexion U 
across the mediator hyperplane of a and a' is a unitary 
transformation that maps a to a'. This reflexion also 
maps b to b'. This ends the proof in the case where a 
and b are colinear. 

Let us now consider the general case where a and b 
are not colinear. It is clear that a' and b' cannot be 
colinear either. We take two bases (a, b, £3, • • • , fn) and 
(a', b', • • • , f^) of (D" and use the Gram-Schmidt pro- 
cess to obtain two orthonormal bases B = (ei, • • • , Gn) 
and B' = (e'l,-- 
62 are given by: 



, e^). Note that vectors ei,e2,e'j^ and 



ei = 



61 = 



A 



e, = 



(ei|b)ei 



||b - (ei|b)ei|| 
b'-(e'i|b')ei 



(eilb)eil 



(A9) 
(AlO) 



Let us call U the unitary operator mapping B to B'. It is 
easy to see that U maps a and b to a' and b', respectively. 
This concludes our proof. 



Appendix B: Distance between the symmetrized 
distribution and a Gaussian distribution: 
Berry-Esseen theorem 

We use a multidimensional local version of the Berry- 
Esseen theorem due to Zitikis. More precisely, Theorem 
1.2 of Hzl reads: 

Theorem 2. Let Vi, ■ ■ ■ ,Vn be a sequence of independent 
and identically distributed d-variate random vectors, let 
Sn — X]r=i '^'^^ ^ first two moments of 

Vi, and let A,nin be the least eigenvalue ofE. Let G be a 
Gaussian random vector with zero mean and covariance 
matrix 1^. Let C be the class of all convex Borel sets. 
Then there exists a universal constant c > such that 



PiV^iSn - m)S"'/' G C) - P(G G C) 
<cVdA-ffE(||Fi||3 



sup 

CGC 

/^, (Bl) 

where Ln{l) ~ '^l^^i^ij a d-dimensional vector 

and 1 1 . 1 1 refers to the Euclidean norm. 

First, we note that the quantity 

sup|F(xGC)-F(yGC)| (B2) 
Cgc 

corresponds to the variational distance between the dis- 
tributions of X and y. 

In the case of CVQKD, we need to consider tridimen- 
sional random vectors Vi = [Xi,Yi, Z.j] and one can im- 
mediately estimate fi and E from the experimental data. 
Using the notations of the main text and applying The- 
orem [2] gives 



P4V)-PGiV))\dV 
< cVsxJl'^E (\\X^ + Yl + Zlf/^ 



n, 



(B3) 



where Pq corresponds to the multivariate Gaussian dis- 
tribution with the same first two moments as P„. 



Appendix C: Error due to the finite estimation 
sample 

Let us assume that the variables {xk,yk) follow a cen- 
tered bivariate normal distribution, as typical in experi- 
mental implementations of CVQKD. 

During the parameter estimation, Alice and Bob need 
to estimate the fourth moments of {xk,yk) given by the 
covariance matrix E: 

{^IvD ivt) i^-y^) 

{xlv,) (x.y^) (x^v^^) 
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Alternatively, one can describe this matrix by the vector 
y^ = [{xt),{xhi)Axhi)Axiyf)Ayf)]- in order to esti- 
mate this vector, one uses the estimator V"^ defined as 



(Cl) 



where ii, ■ ■ ■ , im are m randomly chosen indices among 
{!,••• ,n}. Using the mutlivariate version of the Cen- 
tral Limit Theorem, one obtains that the estimator V™ 
converges to the true value and that the error follows a 
normal distribution. 

More precisely, let us note Eg the true covariance ma- 
trix and Eost the estimated matrix, i.e.. 



{x^){y^)+2{x,y,)^ 3{y^f 3{y^){xiy,) 



and 



- Y. 

771 ' ^ 



3 3 2 2 

x^ yi xiy^ 



(C2) 



(C3) 



Then, the Central Limit Theorem asserts that the ran- 
dom matrix Y^(Ecst — Sg) converges in distribution to a 
centered multivariate normal distribution with a covari- 
ance matrix depending on moments of order 8 of (xk, Uk)- 
We do not explicitate this matrix here as it is rather cum- 
bersome, but it is straightforward to compute it. 

The result of this analysis is that the error in esti- 
mating the correct covariance matrix Eg scales as 1/ y/m, 
where m is the number of samples used. In order to 
obtain an error of the same order of magnitude as the 
one due to Berry-Esseen theorem, one should use a con- 
stant fraction of the data for the parameter estimation. 
In that case, the covariance matrix would be estimated 
with a precision 1 / ^Jn. 

We now prove that this error for the covariance ma- 
trices translates into an error (computed with respect to 
the variational distance) of the same magnitude for the 
probability distributions. 

Let us first consider the case of univariate normal dis- 
tributions, that is two normal distributions erf) and 
A/'(0, cr|) with (72 > cTi- Let us note gi and g2 their re- 
spective density function. One has: 



\gi{x) -g2ix)\dx 



2erf (72 




2crf CTi 




where erf(a;) ~ J^^ e * dt is the error function. In 

particular, if one has <72 = <^i+S where 5 ~ 0(1/ \/n) is a 
small error, then a first order expansion of the expression 
above gives 



\9iix) - g2{x)\dx = S. 



1 



(C4) 



One can extend this analysis to the case of multivari- 
ate normal distributions with covariance matrices differ- 
ing by an error of the order of l/y/n, and one would 
get that the variational distance between the two distri- 
butions is also of the order of 1/y/n. For lisibility, we 
omit the precise bound here but it can be computed in a 
straightforward manner. 



Appendix D: Approximate symmetrization using 
efficient construction of quantum fc-designs 

Sampling from the group K(n) is equivalent to sam- 
pling from the unitary group U (n) . Indeed, any map in 
K{n) can be described by its action on the annihilation 
operators on the n modes. Let us note ai (resp. bi) 
the annihilation operator on the i"' mode of Alice (resp. 
Bob). A map U S Kin) is described by the unitary Ui,j 
that transforms a; into 'Yl^=i'^i,3^j- consider a 

general state p g {%a ® Hb)'^"' , 



E 



(Dl) 



where i° = (ij, ^21 ' ' ' 1 *n) describes the photon distribu- 
tion in Alice's n modes (and similarly for Bob with i**). 



The state = 



n 



'{bi)'' 100) is 



transformed under the action oi U ® U* into 

■a -b 

StH E-M«n (E-lA] 100). (D2) 



Vi°lF! 



Let us fix a maximal photon number N together with 
the projector IIjv on the subspace of Ha ®'Hb spanned 
by Fock states i^) with a total photon number less or 
equal to N . For some given first four moments of p, there 
exists a constant Cg such that taking N = Cfji leads to 



N 



< e. 



(D3) 



Noting pn ^ nArpnJy, one observes that ([/ ®U*)pn{U® 
U*)'^ is a polynomial of degree N in Ui,j. Consider an 
approximate A'^-design z^, then for any k < N , one has 



(C/® C/*)p^" {U®U*)^dU 



Y,iU{v) ® U*{v)) {U{v) ® U* (i.))1 



< 



^design- 



(D4) 



Hence, it is sufficient to use an approximate A'^-design in- 
stead of the Haar measure on the unitary group U{n) in 
order to symmetrize the state p^r, up to some arbitrary 
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small error edosign- Interestingly, efficient constructions 
of such approximate A^-designs are known [2^ . In these 
constructions, the number of unitaries in the design scales 
as rP'^^^ which means that one needs O(nlogn) bits of 
randomness to draw one such unitary (since N is pro- 
portional to the number of modes). Unfortunately, the 
construction provided in (28j only works in the regime 



where N = 0(n/ log n), which is close to, but not ex- 
actly the regime of interest here. Nevertheless, the exis- 
tence of this construction gives hope that one could con- 
struct an approximate A^-design also in the regime where 
N = 0{n). If this were true, then one could efhciently 
(in time O(rilogn)) perform the symmetrization studied 
in the main text. 
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